[ZH-PLACEHOLDER] How we think about security
[ZH-PLACEHOLDER] We treat security as a baseline property of the product, not as a feature on top. That means: defaults that are safe, configurations that are minimal, dependencies that are kept current, and access that is granted by need rather than by convenience. The same engineers who ship features also handle the security implications of those features.
This page summarises what we do — the certifications we hold, where data lives, how payments are protected, and how to report a vulnerability if you find one.
[ZH-PLACEHOLDER] Certifications and compliance
[ZH-PLACEHOLDER] We are bound by, and audit ourselves against, the following frameworks:
- GDPR — full compliance with the EU General Data Protection Regulation, including a published privacy policy, a documented record of processing activities, and a designated data-protection contact.
- PCI DSS — payment card data is handled exclusively by Stripe, which is PCI Level 1 certified. We never see, store, or transmit raw card numbers.
- ISO 27001 — our hosting and platform vendors are certified; our internal information-security management system mirrors the same controls.
- SOC 2 Type II — completed annually for the customer-facing platform.
Certificate copies are available on request via the contact page.
[ZH-PLACEHOLDER] Encryption in transit and at rest
[ZH-PLACEHOLDER] All traffic to and from the site uses TLS 1.3; older protocols are disabled at the load-balancer level. HSTS is enforced with a preload window so that browsers refuse to connect over plaintext HTTP after the first visit.
Data at rest in our database and object storage is encrypted with AES-256. Encryption keys are managed by the cloud provider's KMS; no engineer holds a long-lived plaintext key.
[ZH-PLACEHOLDER] Access controls
[ZH-PLACEHOLDER] Production access is restricted to a small number of named engineers. Authentication is via SSO with mandatory MFA — typically a hardware security key. There are no shared accounts and no static service-account passwords; every long-lived credential is rotated automatically.
Every action against production data is logged with the actor, the time, and the affected record. Logs are immutable and retained for 12 months.
[ZH-PLACEHOLDER] Payment security
[ZH-PLACEHOLDER] All payments flow through Stripe (and, for Polish buyers, Przelewy24). Both are PCI-DSS certified payment processors. The card form is rendered inside their sandbox so card data never touches our servers; we receive only a tokenised reference.
We enable 3-D Secure 2 by default and rely on Stripe's risk engine plus our own velocity rules to flag fraudulent attempts. Refunds are routed back through the original method with no manual handling of card data.
[ZH-PLACEHOLDER] Your data
[ZH-PLACEHOLDER] We collect the minimum required to deliver an order: name, billing address, email, payment reference. We do not sell personal data to anyone, ever. We do not embed third-party advertising trackers.
Under the GDPR you have the right to access your data, correct it, export it, or delete it. The privacy policy explains how to exercise those rights and how long each category of data is retained.
[ZH-PLACEHOLDER] Responsible disclosure
[ZH-PLACEHOLDER] If you believe you have found a security issue, please write to us via the contact page and we will respond within one business day. Tell us what the issue is, where, and how to reproduce it. We do not currently run a paid bug-bounty programme, but we credit reporters who follow responsible disclosure on our public security acknowledgements page.
We ask that you do not test against other users' accounts, do not run automated scanners against production, and do not publicly disclose an issue before we have had a chance to fix it.